Analysis
-
max time kernel
205s -
max time network
103s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
24-11-2022 15:07
General
-
Target
cdb783b80c0a2df75b038b990d5cb30734a5600f645a44a93fce9008e46eb6cd.exe
-
Size
136KB
-
MD5
7f06fe8ed1368c414e2c5ca868121bd7
-
SHA1
375dd9b836940e1467733f4add28fbd091064e50
-
SHA256
cdb783b80c0a2df75b038b990d5cb30734a5600f645a44a93fce9008e46eb6cd
-
SHA512
89ebfd624dc92b8b5a6c0f4a8d5ab9285ca7baa2f3367ca9e1bee5856104e4697d1da7c80aab487dd014d5daa6f5978dcc6cf5037976bb139bf19268b69b6f2e
-
SSDEEP
3072:773svvrRFIrNpR0FyLBhtBB8zTQei1eJebIFK+XGuYOjr+utBD2At0DIZ192CiIJ:nMFBQsK1g7CCiuQhI
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Drops startup file 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Modifies WinLogon 2 TTPs 3 IoCs
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdb783b80c0a2df75b038b990d5cb30734a5600f645a44a93fce9008e46eb6cd.exe"C:\Users\Admin\AppData\Local\Temp\cdb783b80c0a2df75b038b990d5cb30734a5600f645a44a93fce9008e46eb6cd.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\System\svchost.exe"C:\Users\Admin\AppData\Local\Temp\System\svchost.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD57f06fe8ed1368c414e2c5ca868121bd7
SHA1375dd9b836940e1467733f4add28fbd091064e50
SHA256cdb783b80c0a2df75b038b990d5cb30734a5600f645a44a93fce9008e46eb6cd
SHA51289ebfd624dc92b8b5a6c0f4a8d5ab9285ca7baa2f3367ca9e1bee5856104e4697d1da7c80aab487dd014d5daa6f5978dcc6cf5037976bb139bf19268b69b6f2e
-
Filesize
136KB
MD57f06fe8ed1368c414e2c5ca868121bd7
SHA1375dd9b836940e1467733f4add28fbd091064e50
SHA256cdb783b80c0a2df75b038b990d5cb30734a5600f645a44a93fce9008e46eb6cd
SHA51289ebfd624dc92b8b5a6c0f4a8d5ab9285ca7baa2f3367ca9e1bee5856104e4697d1da7c80aab487dd014d5daa6f5978dcc6cf5037976bb139bf19268b69b6f2e
-
Filesize
2B
MD5bafd7322c6e97d25b6299b5d6fe8920b
SHA1816c52fd2bdd94a63cd0944823a6c0aa9384c103
SHA2561ea442a134b2a184bd5d40104401f2a37fbc09ccf3f4bc9da161c6099be3691d
SHA512a145800e53a326d880f4b513436e54a0ab41efc8fdd4f038c0edae948e5ae08d2a7077d5bb648415078dda2571fe92c4d6fa2130a80f53d9dd329e7040729e81
-
Filesize
16.6MB
-
Filesize
124KB
-
Filesize
124KB
-
-
Filesize
10.1MB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
124KB
-
Filesize
16.6MB